Re: Wheezy update of w3m?

To: Raphael Hertzog <hertzog@debian.org>, Ola Lundqvist <ola@inguza.com>, w3m@packages.debian.org, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Wheezy update of w3m?
From: Ola Lundqvist <ola@inguza.com>
Date: Fri, 25 Nov 2016 15:05:06 +0100
Message-id: <[🔎] CABY6=0=xiBaXeo1ML75yBg+xCufEvHX6fU3EFqWHgGQNCCfYag@mail.gmail.com>
In-reply-to: <[🔎] 20161125133939.3d5idepbhx4pl5dc@home.ouaza.com>
References: <[🔎] 20161124210547.GA27860@inguza.net> <[🔎] 20161125084657.xs33o7xbrwiype6x@home.ouaza.com> <[🔎] CABY6=0nwKK1U-S-B_SgeKwhG95h98x143+tkdrUiq2CB-pgTnQ@mail.gmail.com> <[🔎] 20161125133939.3d5idepbhx4pl5dc@home.ouaza.com>

Hi Raphael

See below.

On 25 November 2016 at 14:39, Raphael Hertzog <hertzog@debian.org> wrote:
>
> On Fri, 25 Nov 2016, Ola Lundqvist wrote:
> > I did not want to tag then no-dsa (without further analysis) due to the
> > following:
>
> And you expected that further analysis to be done by whoever would pick
> the package?

Yes that or myself when I got some more time this week.

> In that case, you could have left a comment along the lines
> of "security team tagged the issues as no-dsa, I'm not 100% sure we should
> do the same in wheezy, please review the CVE and feel free to tag them
> no-dsa as well if you agree with the security team's assessment".

Good point. I'll add that next time. This time I'll just make them
no-dsa as you seem to have assessed them better than I do.

>
> > 1) Our recent discussion regarding heap overflow (causing arbitrary code
> > execuition) not being protected by the compiler.
>
> It's hard to assess this one. But here we need HTML input and I expect it
> to be harder to inject birary data hosting code that we would like to
> execute.

That is a point. But are you sure it needs to be HTML? It can not be
just binary data over http? However I think binary data is quite easy
to inject. On the other hand I had not checked this in details.

> > 2) Stable security use no-dsa to mark that they are not immediately fixed
> > but could be fixed in a point release. Oldstable security do not have a
> > point release so therefore we should not use no-dsa as frequently.
>
> Right, but they tend to write "Minor issue, can be fixed in a point
> release" for the latter, this is not the case here.

I see. I was under the impression that this ", can be fixed in a point
relese" text is often forgotten. I'm probably wrong there.

> > However if you think they are minor enough I'll happily mark them no-dsa as
> > well.
>
> Please do.

Ok will do so.

// Ola

>
> Cheers,
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: http://www.freexian.com/services/debian-lts.html
> Learn to master Debian: http://debian-handbook.info/get/




-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Reply to:

References:
- Wheezy update of w3m?
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Wheezy update of w3m?
  - From: Raphael Hertzog <hertzog@debian.org>
- Re: Wheezy update of w3m?
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Wheezy update of w3m?
  - From: Raphael Hertzog <hertzog@debian.org>

Prev by Date: Re: Avice about the importance of heap overflow in hdf5
Next by Date: Re: [pkg-lxc-devel] Wheezy update of lxc?
Previous by thread: Re: Wheezy update of w3m?
Next by thread: Wheezy update of libsoap-lite-perl?
Index(es):
- Date
- Thread